OFAC Issues “A Framework for OFAC Compliance Commitments”
May 6, 2019
Summary and Action Alert
On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released “A Framework for OFAC Compliance Commitments.” This Framework provides guidance for the creation of an effective sanctions compliance program for both U.S. organizations and foreign entities doing business in the U.S. or using U.S. goods or services. In its guidelines, OFAC strongly encourages organizations to adopt a risk-based sanctions compliance program (“SCP”). While the specifics of each SCP will vary, OFAC highlights five essential components to a successful SCP, and outlines many of the “root causes” that lead to sanctions violations.
The release of the Framework is part of a broader trend by regulators to provide greater clarity and transparency around the factors they deem significant in assessing the effectiveness of corporate compliance programs. Last week, the Department of Justice (“DOJ”) released similar guidance entitled “Evaluation of Corporate Compliance Programs” for white-collar prosecutors providing insight into the topics the DOJ’s Criminal Division has found relevant in evaluating a corporate compliance program.
DOJ’s guidance highlights many of the same factors that OFAC stresses in its Framework, including the importance of senior management commitment to compliance, periodic testing and review, and training of directors, officers, relevant employees, and, where appropriate, agents and business partners. More information on DOJ’s Guidance can be found in our recent alert here.
The Five Essential Components of Compliance and Assessing Root Causes of Violations
In the event that sanctions violations do occur, OFAC will favorably consider organizations which have effective SCPs at the time of the violation. This may result in the mitigation of a civil monetary penalty. OFAC may also look to the existence of an effective SCP in determining if a violation is “egregious” under OFAC’s Enforcement Guidelines. For an SCP to be considered as a mitigating factor for these purposes, it must be demonstrably effective—simply having an SCP on file is not enough.
In order to implement an effective SCP, OFAC has outlined five areas that organizations should adopt, update, or implement in their programs:
1. Management Commitment
- Management commitment is one of the most important factors in determining the success of an SCP.
- Management should ensure that adequate resources are provided to support compliance efforts within the company, including a designated OFAC sanctions compliance officer.
- Creating a “culture of compliance” throughout an organization starts with senior management. This means that senior management must take OFAC violations seriously.
2. Risk Assessment
- Risk assessment should identify risks regarding clients, products, services, and geographic locations in order to determine the likelihood of a potential OFAC sanctions violation.
- Risk assessment isn’t a one-time process, but should be conducted periodically to address changing scenarios and any root causes of violations identified by the organization.
- Risk assessment should always take place during on-boarding for new customers and during M&A transactions.
3. Internal Controls
- For an SCP to be effective, there must be internal controls that allow for the identification, record-keeping, and reporting on activities regulated by OFAC.
- Sanctions and export regulations are not static, and internal controls should be able to rapidly respond to changes in OFAC regulations and sanctions-related lists.
- Internal controls should be relevant to an organization’s day-to-day activities and there must be clear policies and procedures to ensure that the SCP is communicated to all employees.
4. Testing and Auditing
- Every SCP must be routinely tested and audited to ensure that it is effective and identify any weaknesses.
- Testing and auditing should be independent and objective, and the organization should be immediately responsive to any negative results that arise from a test or audit.
5. Training
- Every SCP needs to have an OFAC-related training component for it to be effective. If employees aren’t trained to follow SCP policies and procedures, the program will not accomplish its goals.
- Training should happen frequently and adjust to any negative information revealed in the testing and auditing process.
- Training should reflect the products and services offered by each organization.
In the Framework, OFAC distills the root causes of many of the sanctions violations that have led to enforcement actions. These are broken down into ten subcategories, including:
- Misinterpreting OFAC regulations
- Failure to update sanctions-screening software
- Conducting ineffective or incomplete due diligence
- De-centralized compliance mechanisms and a lack of communication
- Utilization of unusual payment or commercial practices outside of industry standards
- Deliberate actions of individuals, in particular those working for U.S.-owned entities outside of the United States
If your organization already has an SCP in place, ensure that it is up to date, responsive to the Framework, and is able to adapt to frequently changing OFAC directives.
Review your implementation practices under any SCP. Training, audits, and tests should occur regularly, not on a one-time basis. How effective are your screening tools and programs?
Examine the “root causes” of sanctions violations listed by OFAC in the guidance. If any are relevant to your organization, take proactive steps to eliminate them or mitigate risk.
Remember, having an effective SCP will be factored into any mitigation of penalties imposed by OFAC in the event of a violation. This was already the case under OFAC’s Enforcement Guidelines, but the new Framework provides a roadmap for how to create an “effective” SCP to both avoid violations, and obtain the benefit of mitigation if need be. Existence of a compliance program is not enough—it must also be effective.
- The full text of the OFAC Framework can be found here.
- Important elements to consider in determining the sanctions risk rating can be found in OFAC’s risk matrices.
- A link to DOJ’s Guidance on Evaluation of Corporate Compliance Programs can be found here.
- For more information on the importance of compliance programs in international M&A, see our recent publication here.